Password Field - mysql admin - PHPBuilder Forums

Password Field - mysql admin

phpcelta

I'm trying to create a login page and I can connect to my database. The problem I am having is when comparing the password.

For example :

SELECT user_id, username FROM users WHERE username='$u' AND password=MD5('$p')

wont return anything, it never finds the password field. I have tried in Mysql to put md5, sha1, password, and cant get it to work. If I take out the password part , it will return the field. THe problem is comparing the password, it never gets a row.

Thanks in advance

roscor

 if(preg_match('/^[a-zæøåÆØÅ0-9_-]{4,}$/i', $_POST['username'])){
        $user = $_POST['username'];     

    }
        else {
        $error1 .= "<font face='Verdana' size='2' color='#FF0000'>Error: on Text box USERNAME, Do not use invalid characters ? < > . , - + = ~ # @ | \ / '' ' : ; { } [ ] * ^ ! etc.";
             }   

  if(preg_match('/^[a-zæøåÆØÅ0-9_-]{4,}$/i', $_POST['password'])){
        $passw = md5($_POST['password']);
    }
        else {
        $error2 .= "<font face='Verdana' size='2' color='#FF0000'>Error: on Text Box PASSWORD, Do not use invalid characters ? < > . , - + = ~ # @ | \ / '' ' : ; { } [ ] * ^ ! etc.";
            }   


include("dbinfo.inc.php");
$conn = mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($database,$conn) or die(mysql_error());
$query="SELECT * FROM users WHERE  username ='$user' and password ='$passw'";
$result = mysql_query($query) or die ("Could not run query.");

 if (mysql_num_rows($result) == 1) {

//if authorized, get the values of username	

$user = mysql_result($result,0, 'username');
$user_id = mysql_result($result,0, 'user_id');


$_SESSION['valid_user']=$user;
$_SESSION['user_id']=$user_id;

}
 else

 {

echo "<td align='center'><font face='Verdana' size='2' color='#FF0000'>Login Failed. <br />[<a href=logon_page.php>Go back and try again</a>]<br><br>";
echo "$error1<br><br>";
echo "$error2<br>";
    exit;          

  } 

?>

use this on a login page (eg login.php) with a basic form that links using two text boxes username and password within the form which posts

<FORM METHOD="POST" ACTION="login.php">
<STRONG>Username:</STRONG>&nbsp;<INPUT TYPE="text" NAME="username" value="<? echo $user; ?>"><br><br>
<STRONG>Password:</STRONG>&nbsp;&nbsp;<INPUT TYPE="password" NAME="password" value="<? echo $passw; ?>"></p>
<P><INPUT TYPE="SUBMIT" NAME="submit" VALUE="login" 
&nbsp;&nbsp;<input type="reset" name="reset">
</FORM>

The form is then sent to login and checked for any invalid characters, if ok the database is checked, a value will result in SESSION being set which can then be used on all appropiate pages the meber can have access to, not forgetting to use <?php session_start(); at the top of each session using page. You can then stop any person not entitled by using

<?PHP session_start();
if (empty($_SESSION['valid_user'])){
header("location:../logon_page.php");
exit();
}
?>

Very basic but works, good luck

NogDog

How are the passwords stored in the database? Were they, in fact, hashed; or are they stored as plain text. If hashed, do you know what hashing mechanism was used, along with any salt value(s)?